Senate Steps Into The Data Breach Controversy

A top executive at the retail chain Target went to Capitol Hill today to try to explain the massive security breach that hit the company in December. Hackers stole personal information of tens of millions of Target customers during the holiday shopping season. The incident has underscored the increasing sophistication of cyber criminals and the vulnerability of big retailers. NPR's Jim Zarroli has more on the hearing.

JIM ZARROLI, BYLINE: Target's chief financial officer, John Mulligan, told the Senate Judiciary Committee that records for some 40 million debit and credit cards had been stolen, including some PIN numbers. And 70 million customers had personal information such as email addresses taken.

JOHN MULLIGAN: We know this breach has shaken their confidence in Target, and we are determined to work very hard to earn it back.

ZARROLI: Mulligan said the company learned about the breach from the Justice Department and the Secret Service on December 13th. Over the next few days, Target confirmed the infiltration. Mulligan said the hackers had stolen a vendor's credentials and used them to gain access to the computer network. They were then able to put malware on store registers.

MULLIGAN: We had in place multiple layers of protection, including firewalls, malware detection, intrusion detection and prevention capabilities, and data loss prevention tools. But the unfortunate reality is that we suffered a breach.

ZARROLI: Over the next few days, Target disabled the malware and told its payment networks what had happened. It wasn't until December 19th that it informed customers. Mulligan said the company has been reviewing its network to make it more secure. It will accelerate a $100 million program to introduce computer chips in credit cards, which are harder to counterfeit. But the incident underscores what retailers and their customers are up against in an age of ever more sophisticated cyberattacks. Fran Rosch, senior vice president of the software company Symantec, says in the past, cybercriminals would create a single piece of malware and deliver it to millions of computers. Once it was identified, he said, it could be stopped by anti-viral software.

FRAN ROSCH: Today, cybercriminals can take the same malware and create unlimited unique variants that can slip past basic AV software.

ZARROLI: Another retail company that has seen its network compromised lately is Neiman Marcus. Michael Kingston, the store's chief information officer, said that transactions from almost all of the company's 85 stores were exposed to malware last year. Kingston said more than a million people may have had their payment card information stolen.

MICHAEL KINGSTON: We have never before been subjected to any sort of significant cybersecurity intrusion, so we have been particularly disturbed by this incident.

ZARROLI: Kingston said the infiltration happened between July and October, but it wasn't discovered until much later.

KINGSTON: Because of the malware's sophisticated anti-detection devices, we did not learn that we had an actual problem in our computer system until January 2nd.

ZARROLI: Today's hearing was held at a time when Congress is trying to decide how to battle cybercrime and what security standards to set for businesses. While big retailers have security programs in place to fight hacking, they've often lagged behind the criminals. The huge number of people affected by these recent data thefts has shown how big the potential problem is and what's at stake for consumers. Jim Zarroli, NPR News.

Transcript provided by NPR, Copyright NPR.